We present a pointer and array access checking technique that provides complete error coverage through a simple set of program transformations. Our technique, based on an extended safe pointer representation, has a number of novel aspects. Foremost, it is the first technique that detects all spatial and temporal access errors. Its use is not limited by the expressiveness of the language; that is, it can be applied successfully to compiled or interpreted languages with subscripted and mutable pointers, local references, and explicit and typeless dynamic storage management, e.g., C. Because it is a source level transformation, it is amenable to both compile- and run-time optimization. Finally, its performance, even without compile-time optimization, is quite good. We implemented a prototype translator for the C language and analyzed the checking overheads of six non-trivial, pointer intensive programs. Execution overheads range from 130 % to 540%; with text and data size overheads typically below 100%.

INTRODUCTION The need for run-time checking of array subscripts and pointer bounds is apparent to any experienced C programmer. For example, it once took six months to find the cause of an intermittent bug because it could not be reliably reproduced. Saying that some other language should have been used instead of C is not productive, as each language has its problems, and there are usually several constraints that lead to the choice of a particular language. A language may do run-time checking by definition or through a standard implementation, e.g. SNOBOL4, or make it easy to implement run-time checking of pointers, e.g. ALGOL 68 requires the run-time maintenance of pointer bounds for use by the lower- and upper-bound operators. 2 A language may restrict operations on pointers, such as PL/1 or Pascal, 4 ' 5 thus eliminating some types of run-time errors. However, the C language allows completely unrestricted use of pointers, including pointer arithmetic and conversion o

this paper, we propose a simple technique that works equally well for both of these latter two types of semantics, and whose efficiency compares favorably for certain realistic programs with more traditional implementations of these semantics. Furthermore, we provide a mechanism for using this technique through Ada implementations of two abstract data types where undefined variables respectively exhibit these two types of semantics, and whose implementations of these semantics use our technique. These abstract data types allow our technique to be selectively used in strictly those situations where the cost of the technique is justified. We provide practical examples illustrating these situations